Each company that collects, processes, shares, stores, or disposes of personal data must ensure that these data are protected with the appropriate security measures. The Federal Trade Commission and State Attorneys General have interpreted the Federal and State Unfair and Deceptive Practices Acts to require the use of appropriate security policies and procedures. Numerous laws, regulations, and industry standards contain specific detailed provisions that define the required security safeguards.
Adopting reasonable security measures makes sense. Failure to do so exposes a company to fines or penalties from the regulators, class action suits for negligence by injured parties, and much more. If personal data are lost, exposed or compromised, the incident is likely to become known by the public, and in many cases, widely reported on blogs and tweets.
- Goodwill Erosion – Bad press will negatively affect the image and brand of the company.
- Financial Loss – Customers will take their business elsewhere; sales will be lost. The company will incur great expenses to compensate those whose personal data were affected by the incident.
- Decreased Market Value – The value of the stock and market capitalization is likely to decrease.
- Fines, Penalties or Damages – The disclosure of the deficiencies in the company data security policies and data handling practices, or its failure to comply with relevant laws may result in the assessment of significant fines or penalties by the regulators, stringent reporting and auditing requirements and much more.
We have worked on data protection matters since the early 1990s, and have a unique in-depth, experience and expertise with these issues. We have assisted hundreds of businesses of all sizes, in all markets, with respect to data security issues. We keep abreast of the most recent data security legal developments in the United States and abroad.
The depth and breadth of our knowledge of the data security bills, laws, regulations, government enforcement actions, jurisprudence, standards and industry guidelines provide the framework within which we advise businesses, shape internal policies, procedures and processes, and draft contracts that follow the applicable mandates, or train the company’s workforce and leadership on the relevant data protection issues and recent developments.
Our compliance services aim at providing our clients with the ability to understand the requirements of the complex and ever changing requirements that apply to their business. As security counsel to businesses, we have worked on a variety of data security matters.
Counseling on Applicable Laws and Standards
Depending on the market in which our client evolves, different laws apply to their business. We are very familiar with these laws and can quickly respond to their request, usually without any research time. For example, we regularly counsel our clients, on the data security laws and regulations that govern the handling of:
- Financial information – under the Gramm Leach Bliley Act (GLBA), Fair Credit Reporting Act (FCRA), Fair and Accurate Credit Transaction Act (FACTA), Red Flags Rules;
- Healthcare information – under the Health Insurance Portability and Accountability Act (HIPAA) and the HITECH Act;
- Children information – as required under the Children Online Privacy Protection Act (COPPA) and other Federal and State laws;
- Company documents management – in connection with record disposal laws;
- Data of foreign residents, which are protected under foreign data protection laws such as those in force in Member States of the European Union;
- State data security laws and regulations, such as the Massachusetts security regulations;
- Security breach disclosure laws;
- Industry standards, e.g. PCI DSS.
Development of Policies and Procedures
We work in tandem with our clients’ CTO, CIO, CSO, and CISO to develop or improve data security policies and procedures that comply with the applicable data security laws. We may, for example:
- Review and revise existing data security policies;
- Develop new data security policies;
- Develop form documents for use in due diligence;
- Develop “security addendum” for use in combination with a services agreement, such as a payroll processing agreement.
Data Security Issues in Commercial Contracts
Commercial contracts in which the parties share or exchange personal data involve significant data security issues that result from each party’s obligation to comply with the myriad applicable data security legal requirements that govern the collection, processing, sharing or disposal of personal data.
As data security counsel, we guide our clients through the maze of the legal requirements and restrictions that may affect the proposed transaction. For example, we:
- Address the data security issues in RFPs or RFIs; review third party questionnaires; prepare responses;
- Perform the appropriate legal data security due diligence in preparation for the transaction;
- Clarify for the client the provisions or disclosures with respect to data security that are made in form agreements used by their counterparts;
- Assist the client through the lengthy and complex process of the negotiations of the data security provisions in the related agreements;
- Structure and negotiate a comprehensive contract that addresses the numerous data security issues raised by the processing of personal data;
- Guide the client through the monitoring obligations, in order to ensure the proper performance of the data security obligations of the service provider under the executed contracts and the continued protection of the personal data throughout the life of the contract;
- Ensure, during the life of the contract, that the necessary supervision, monitoring, and auditing of the performance of the vendor’s data security obligations is periodically conducted; and
- Ensure, upon termination of the relationship, that all personal data are securely transferred and deleted within the applicable legal or contractual requirements.
Security Breach Disclosure
We assist companies in the development of documentation as necessary to prepare for the eventuality of a breach of security of their systems.
If a breach of security occurs, we work with the client on responding promptly to the incident in a manner that is consistent with the applicable laws.
Awareness and Training
We enhance our clients’ training program, by providing to their personnel targeted, relevant, up-to-date training on applicable data security laws and regulations. This training is required under many laws and regulations, Federal Trade Commission and State Attorneys General rulings. It is also necessary for the workforce to keep up with the ever-changing legal landscape.
We have conducted training with respect to many aspects of data security, such as:
- US and foreign data protection laws;
- The effect of security laws and regulations on the creation, maintenance and use of databases of employee, client or marketing information;
- Data security requirements affecting inter-company and intra-company transfers of data;
- Data security requirements in outsourcing and cloud computing transactions;
- Security in the Cloud.